Introduction

The COVID-19 pandemic has resurfaced age-old discussions about how to appropriately balance public interests and privacy against measured surveillance that leads to better safety and health outcomes. As part of a multi-pronged approach to fight the pandemic, traditional public health authorities rely on a strategy comprised of social distancing, contact tracing, and isolation to reduce the spread of the disease.1 When there is a confirmed case or when an individual displays symptoms of the virus, teams of investigators identifies the other people that came into contact with that individual and efforts are made to notify and isolate those individuals—these processes broadly make up exposure notification and contact tracing. One challenge with the COVID-19 pandemic is that up to half of transmissions occur from pre-symptomatic individuals.2 According to recent studies from the University of Oxford, this means that manual contact tracing is not fast enough to slow transmission.3 This presents a challenge whose solutions have both risks and rewards.

In the era of COVID-19, one of the most accessible and cost-effective ways to collect such information is by using metadata about an individual’s interactions and locations, as recorded by their smartphones and mobile networks, to create a digest of the places that person has been and the people they have come into contact with. This technology can be used to conduct more timely, accurate, and efficient contact tracing than the traditional, manual efforts. A model at the University of Oxford projects that mobile phone applications implementing instantaneous contact tracing could help reduce the average number of people infected by each infected person to under 1.0, under the threshold for preventing the virus from spreading further.4 Countries such as Singapore and South Korea have been relying on digital tools to facilitate contact tracing, including mobile alerts for those infected and public heat maps that show places with high rates of infection.5

These concerns, however, are not without cost. Citing the severity of the threat posed by COVID-19, government entities, network providers, and affiliated technology companies have obtained great latitude in deploying sweeping surveillance measures. These measures temporarily reduce individual privacy, represent new opportunities for collective and individual exploitation, and usually favor short-term thinking over long-term thinking. Privacy activists have raised important questions about how governments acquire and use this data, how it is stored, how long these measures will be in place, what oversight mechanisms exist, and how it is otherwise possible to effectively limit the ability of authorities to abuse these new digital tools after the pandemic is over.

Specific questions in this crisis also examine the actual effectiveness of these apps. While many tech evangelists see this as an opportunity to experiment and deploy the latest and greatest technology, many exposure notification apps generate false positives, placing undue hardship on users of such apps. If data is leaked, patterns of behavior and interaction can be aggregated, exploited, and published for the world to see. For example, there are greater opportunities for people to be blackmailed can be blackmailed if they visit locations that are taboo. Algorithmic redlining and zoning can lead to new forms of discrimination.6 Then, at a macro level, these gradual erosions of trust will further reduce trust between individuals and the institutions governing them.

This perennial tug-of-war between a need for privacy and active government intervention will persist far beyond this virus. The reality is that even after the danger of COVID-19 subsides, there will be many challenges to the way that people organize and govern themselves. As a practical matter, this means that governing bodies around the world will face challenges for judicial review, regulatory reform, and the passage of new laws and regulations to manage the risk from this and other crises. Yet, understanding this balance of proportionality between exercising executive power, preserving individual privacy rights, preserving collective privacy rights, and achieving epidemiological utility is one fraught with questions and concerns that lack any sort of global consensus. This paper is not an in-depth critique of the proportionality of any specific government’s choice of action. Rather, this paper aims to survey that various approaches that combine the use of applications, tools, and legal strategies deployed by several countries around the world combating COVID-19.

Proceeding in two parts, this paper first provides an overview of the different legal and technical efforts carried by a selection of countries or cities to combat the disease. The second part explores the potential legislative, technical, and legal mechanisms to improve these efforts.

Part I: Overview of Legal and Technical Efforts Deployed to Combat COVID-19

South Korea

As the gravity of the pandemic takes hold, South Korea has been aggressive in its efforts to tackle the coronavirus. The process to eliminate the spread of the virus in South Korea has been divided into four stages: (i) investigation, (ii) exposure risk assessment, (iii) contact classification, and (iv) contact management.7 During the investigation phase, basic information, including a patient’s activity history, is collected by an interview process of the patient, family members and healthcare workers.8 To the extent supplementary information is required during the risk assessment stage, more granular information such as medical records, cellular GPS data, credit card transaction information, and CCTV footage may be collected.9 Contacts identified based on the collected information are subject to self-quarantine along with mandatory health education and symptom monitoring.10

These measures are being amplified through the use of technological tools. According to the Yonhap News Agency, a government-funded media agency, the Korea Centers for Disease Control and Prevention (KCDC) initially had to request for data such as closed-circuit television (CCTV) footage and credit card transactions of confirmed patients from police investigators.11 A new data platform co-developed by the Ministry of Science and ICT, the Ministry of Land, Infrastructure and Transport and the KCDC was launched on March 26, 2020 and allows data from confirmed patients to be provided to health investigators and analyzed proactively.12 The Korean National Police Agency, the Credit Finance Association, South Korea’s three mobile carriers, and 22 credit card issuers are working together to provide data and other insights.13 The platform is based on a smart city data hub program developed by the central government and the municipal government of Daegu. 14 15 As a tool for big data analysis, the platform produces insights for cities that want to launch new smart services using data related to traffic, energy use, environmental quality, and safety.

With these digital tools in place, health officials are able to correlate interview results with patient location maps via data uploaded to this platform, developing a comprehensive overview of who has been infected and where they have been. Moreover, this type of big data analysis provides officials with real-time data feeds on confirmed patients, including their whereabouts and the time spent at each location.16 Armed with this information, the platform can facilitate the epidemiological evaluation of cases by looking at different clusters and disclosing the source of transmission. Contrasted against traditional measures used in the past, these new methods do not require numerous exchanges of documents and phone conversations among South Korea’s 28 relevant agencies.17 The government has claimed that this platform can enhance the accuracy and efficiency of contact tracing by reducing the lead time for identifying cases from 24 hours to less than ten minutes.18 A reduced workload of health officials can also ensure quicker government response to avoid further spread of the disease.19

In addition to monitoring the spread of the disease, applications have been developed for those who have received a positive infection. Anyone who has come into contact with a confirmed carrier is subject to a mandatory, two-week, self-quarantine.20 Once self-quarantine subjects receive an order from their local medical center, they are legally prohibited from leaving their quarantine areas and are instructed to maintain strict separation from other people including their family members.21 Those in lockdown are assigned to a local government official, who is authorized to track the development of any symptoms, and mobile testing teams are deployed to collect samples if the situation worsens.22 23

Technology is used to aid these traditional processes by the application “Self-Quarantine Safety Protection,” (see Fig.1), which was developed by the Ministry of the Interior and Safety and allows those who have been ordered not to leave home to stay in contact with caseworkers and report on their progress.24 Self-Quarantine Safety Protection also uses GPS to keep track of the location of confirmed patients to ensure they are not breaking their quarantine.25

Other tools in the South Korea ecosystem include those meant to aid those in the public seeking to avoid contact with COVID-19, among them are the “Corona 100m” application, which alerts users when they come within 100 meters of a location visited by an infected person,26 the Coronamap, which is a website that shows the travel histories of confirmed COVID-19 patients,27 and Coronaita, which aims to function like a search engine for information on coronavirus-hit areas.28

These measures, however, are not without a cost. During South Korea’s fight against the virus, digital footprint of all citizens are visible to the government, part of the private sector, and, in some cases even some members of the public. For example, when a person tests positive, the city or district he/she inhabits might send out an alert to people living nearby about the movements he/she made prior to being diagnosed.29 An alert can contain the infected person’s age and gender, as well as a detailed log of their movements down to the minute.30 Other countries, including Singapore, release data such as the age or gender of confirmed patients, but nothing as detailed as in South Korea. In some districts, disclosure of public information includes which rooms of a building the person was in, when they visited a toilet and whether they wore a mask.31 Even overnight stays at love motels are reported to have been noted.32 33 It is reported that on April 7, 2020, as a measure to reduce any flouting of mandatory quarantine orders, the South Korean government proposed to impose self-isolation electronic wristbands on confirmed patients. The suggestion was opposed by the Ministry of Health and Welfare due to the potential human rights violation.34 Beyond the short term impact, however, many long term repercussions remain unknown. However, it is likely that the perception of individual privacy within South Korea will be forever minimized.

Underwriting the large-scale government effort and high-level openness to mobilize resources is an established legal apparatus that sets a limit on the duration of the data usage. Under Article 76-2(4) of the South Korea’s Infectious Disease Control and Prevention Act (IDCPA), the information collected will be destroyed when the “relevant tasks have been completed.”35 The South Korea government further clarified that the data collection efforts will end when the coronavirus outbreak is over and that all personal data might be deleted.36 Despite the extensiveness of surveillance and data sharing, the Korean public broadly supports the government publishing individuals’ movement argued Youngkee Ju, a researcher in health journalism at Hallym University in Chuncheon.37 In a 1,000-person survey published in February and March, most respondents supported the government sharing travel details of people with infectious details and preferred the additional safeguard for public good over individual privacy rights.38

Hong Kong

Hong Kong was one of the first cities in the world paralyzed by the virus. After a brief period of recording low case numbers, Hong Kong was hit by a second wave of outbreak in late March.39 As residents returned to the country from work trips, study abroad programs, or to seek safety after outbreaks in other cities around the globe, many inadvertently brought the virus back with them. This migration threatened to drive up the rate of infection which had at least been somewhat under control.40 As a result, the Hong Kong government implemented a series of additional, stringent restrictions including a mandatory 14-day quarantine for inbound travelers.41

Like South Korea, Hong Kong has looked to the use of technological tools as a way to boost the abilities of their constituents. Ensuring the efficacy of traditional quarantine efforts requires a great degree of human interaction in order to maintain compliance with a quarantine order. Many of these analog solutions are difficult to implement, costly, and might risk the health of those staying in close proximity to one another. Hong Kong’s efforts have been furthered by the work of a team of researchers and engineers, led by Professor Gary Chan of the Department of the Computer Science and Engineering and Director of Entrepreneurship Center at The Hong Kong University of Science and Technology. This team led the design of an automated geofencing technology called “Signature Home,”42 which has been used to develop a mobile application called “StayHomeSafe.”43 (See Fig. 2 & 3)

The app has been used by the public since March 14, 2020 as a way to monitor people under home quarantine.44 Paired with an electronic Bluetooth wristband, the app can detect whether the detainee is complying with the requisite quarantine order and alert the relevant authorities about non-compliance.45

The key idea of the Signature Home geofencing technology is that the collective signal variations within a certain location are unique to that location, forming a sort of multi-factor “signature” for each user.46 The technology collects data from various connections made by the user, including environmental signals such as Wi-Fi and Bluetooth in the dwelling place as its signature.47 If a newly collected signal variation deviates from the signature, it is likely that the person has left the designated location in breach of the mandatory quarantine rules.48 By continuously collecting and understanding the change of the composition of signals collected in a place, aided by machine learning and data analytics techniques, Signature Home manages to adapt to changes to the home environment to ensure more accurate monitoring.49 As with other machine learning and data analytics technologies, there is a risk of false-positives, especially early on as data is being trained. Many of these technologies will need to be fine-tuned over time and limited in scope to specific use cases where repetition is easily identifiable.

Stepping up the monitoring effort, short message service (SMS) instructions on activating the “StayHomeSafe” mobile app have been sent to all inbound travelers arriving in Hong Kong since March 20, 2020.50 In less than a day, over 7,400 new monitoring wristbands were distributed to people arriving in Hong Kong by air in conjunction with the “StayHomeSafe” mobile app.51 Armed with this new technology, Hong Kong managed to flatten the second curve of infections without resorting to the kind of complete lockdowns that are paralyzing economies elsewhere. As of May 5, 2020, the city reported no new community infections for over a period of 15-days.52 Since then, the city has started to ease restrictions and cautiously reopen its economy.53

Singapore

The primary focus of Singapore, in combating the spread of COVID-19, has been on contact tracing. The small, island nation has developed a contact-tracing application, “TraceTogether”54 (See Fig. 4), which can can identify people who have been in close proximity – within 2 meters for at least 30 minutes – to identified coronavirus patients, according to its developers, the Government Technology Agency (GovTech) and the Ministry of Health (MOH).55 56 While use of the app is not compulsory, those who use it must enable Bluetooth in their smart phones to allow tracing.57 Users also need to enable push notifications and location permissions in the app. The app uses encrypted short-distance Bluetooth signals that are exchanged between phones to detect other users in close proximity.58 Official contact tracers will provide a code that users can match with a corresponding verification code on their app.59 When requested by MOH, users can send their TraceTogether logs to facilitate the contact tracing process.60 Up to that point, the authorities, including the MOH and GovTech, have no knowledge of the users’ TraceTogether data.61 62

The government claims that the app only records who they might have been close to and that it does not record location data or access the phone user’s contact list. Data logs are stored on phones in encrypted form for only 21 days.63 The data that is collected by the government through this app is the user's mobile number, so that the MOH can contact users quickly if they were in close proximity with an infected case, allowing for easier identification of potential cases and helping to curb the spread of the coronavirus. When contacted by contact tracers, users will be asked to share their data logs. If they refuse, they can be prosecuted under the Infectious Diseases Act (IDA) and any regulations promulgated thereunder.64 Further, health officers appointed under Section 55A of the IDA have the power to require any person to furnish any information within his/her knowledge or to produce any book, document or other record, to investigate any suspected outbreak or prevent the possible spread of an infectious disease.65

On the downloading sites for Android users66 and iOS users,67 TraceTogether expressly states that its functionality will be suspended after the pandemic subsides. While many of the challenges facing other contact tracing apps will be faced by TraceTogether, exploiting the technological apparatus remains at the forefront of the Singaporean government to help reduce the impact of the virus.68 Recently, the National Parks Board and the Smart Nation and Digital Government Group of Singapore conducted a pilot trial of a four-legged robot called SPOT to assist safe distancing efforts at parks, gardens and nature reserves at local parks.69 The cameras fitted on SPOT will not be able to track and/or recognize specific individuals, and no personal data will be collected.70

China

In China, cases of COVID-19 have reportedly declined at a steady rate since peaking in mid-February 2020, which is at least partially attributable to more draconian measures that the government enacted in order to contain the spread of virus. While some of these measures would be deemed controversial in democratic societies, the combination of technologies, including apps for tracking individuals and pervasive use of CCTV cameras, and in-person enforcement efforts by the Communist Party demonstrates one way strong, top-down governance, early quarantine, and early treatment aided by technology can be deployed to reduce the global spread of the COVID-19.

In Guangzhou, the capital and most populous city of the Guangdong province in southern China, big data technology has been used to track locations and connections, screen priority cases, and effectively forecast the development of the pandemic in real time.71 By mid-February 2020, Guangzhou managed to track and diagnose 10.18 million people in the community and located 377 individuals with fever and other related COVID-19 symptoms.72 According to The Paper, a state-funded Chinese media site, the government confirmed that a restaurant owner and his son in Wenzhou, a city in China’s Zhejiang province, were infected and tracked their location and activities for fifteen consecutive days.73 Supported by mobile data made available to the government by three major local mobile operators, more than 3,615 people who passed by the restaurant during this period were located and notified through SMS.74 With the aid of technology, a total of 40 people who had visited the restaurant have been identified and were required to get tested in order to decrease the spread of COVID-19.75

As the pandemic spreads throughout the country, many see big data tracking as one of the most accessible ways to stop the spread of COVID-19. The Ministry of Industry and Information Technology of the People’s Republic of China launched a new service allowing Chinese telecom subscribers to receive a list of provinces and cities visited within the last fourteen (14) days via SMS. The country’s three state-owned mobile service providers – China Mobile, China Telecom and China Unicom – started sending SMS to users asking for authorization to access their location data.76

Perhaps the most omnipresent surveillance tool China has introduced is the use of a “health code” classification system called the Alipay Health Code. According to Xinhua Press Agency, the official state-run media agency in China, Alipay Health Code was first introduced in the eastern city of Hangzhou on February 11, 2020.77 This project was completed by the local government with the help of Ant Financial, an affiliate of the e-commerce giant Alibaba, and its online payment platform, Alipay.78

After the users add their personal details in the system, Alipay Health Code (see Fig. 5) generates a QR code in one of three colors.79 A green code enables its holder to move freely without restriction, a yellow code means that the person may be asked to stay home for seven days, and a red code means that the person is subject to a mandatory 14-day quarantine.80 To change from red to green, a detainee would need to show improved health status on a regular basis. Alipay Heath Code has become an integral part of the authorities’ management of people’s movement into and out of the affected areas.81 In Wuhan, the city where the virus was first reported, only those with a green code can take public transportation.82 As of March 31, 2020, this system is already in use in 200 cities and has been rolled out nationwide.83

It was reported that Ant Financial does not provide or operate the service and has no access to the data amassed on its platform.84 The software was designed solely in support of the Hangzhou city government.85 Similarly, WeChat, a messaging app owned by tech giant Tencent with over a billion monthly users, worked with authorities to build its own health code system.86 It collects basic identity and address details as well as a history of close contact with suspected patients, history of travel and history of residence.87 The app draws on medical information including symptoms, medical treatment, isolated observation, contact information, travel history of the epidemic area, and the user’s travel history including the mode of travel and what seat they sat in, as well as details on the vehicle and its driver.88 Currently, neither Ant Financial, WeChat, nor Chinese officials have explained in detail how the system classifies people in the country. These platforms have caused great confusion among citizens in China and false classifications examples abound.89

China has long had a history of using big events to implement surveillance measures that outlive their original intended purpose; examples of this include the 2008 Beijing Olympics and the 2010 World Expo Show in Shanghai.90 The continued dissemination of personal data to authorities blurs the already thin line between Chinese tech companies and the Chinese government and continues a general trend toward something resembling a social credit score. According to the New York Times analysis, as soon as a user grants the Alipay software access to personal data, a piece of the program labeled “reportInfoAndLocationToPolice” sends the person’s location, city name and an identifying code number to a server.91 The software does not make clear to its users this connection to the police. However, according to Xinhua Press Agency92 and an official police social media account,93 law enforcement authorities were privy to the system’s development. The most striking aspect of all was the overt passage of private citizens’ data through a one-way, government-controlled valve, a practice that had previously been inferred rather than direct. If nothing else, this absolute collaboration between government and the private sector can serve to indicate what the tradeoffs between privacy and utility might be. The continued compliance of data-driven technology companies operating in China under the mandate of a powerful one-party state will remain deeply impressed in the fabric of mainstream operation execution and the long-term effects of this collaboration remain to be seen.

United States

Like China, Singapore, and South Korea, the United States has been similarly impacted by COVID-19 and have taken a more privacy preserving approach to combatting the pandemic. As of May 9, 2020, the United States remained the country with the highest number of confirmed cases of COVID-19.94 According to the Guidance Regarding Methods for De-identification of Protected Health Information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services has strict rules on the disclosure of cases in each city, as well as according to age, race, and geographic region of residence.95 96 So far, the statistics of confirmed patients released by the US governments at all levels have been limited to counties, not specific cities.97

The same legal levers in Asia that enable widespread surveillance measures have no comparable analogue in the United States. This difference can be best explained by an advocacy of privacy and civil liberties protection – a value that is deeply entrenched in the American constitutional spirit, as well as it being a deep-seated construct of the collective American identity. As a result, data sharing American researchers often lack the availability of data to more granular analyze and forecast the spread of COVID-19, unlike governments in other countries who are harnessing a wealth of information from their more centralized medical systems.98 Critics of the limited public reporting have argued that this lack of data prevents the country from effectively curbing the spread of the virus.99

The United States’ broad, federalist approach contrasts sharply with that of the small, more centralized one employed by Singapore, which has fought the virus effectively by publishing anonymized data about suspected linkages of cases.100 The Singaporean authorities sometimes list neighborhoods where the patients lived, as well as their workplaces and the churches or mosques that they attended.101 Moritz Kraemer, a leading researcher at Oxford University whose research team is mapping the global spread of the coronavirus, argued that there was wide demand for data on the disease across the scientific community and that it needed to be tabulated to facilitate detailed analysis.102 His research was aided by the breadth of the data collected in countries such as China, which includes, among others variables, a patient’s age, sex, travel history and history of chronic disease, where the case was reported, and the dates of onset of symptoms, hospitalization and confirmation of infection.103

The United States consists of a mix of federal and state laws on privacy. Some federal statutes address specific sectors, such as financial services or healthcare, whereas state-level legislation addresses a wide range of other issues and often differs from state to state. This segmented approach and the lack of a federal privacy regulation, however, has led to inconsistent data collection and a more opaque understanding of cases throughout the United States, as well as burdens on the local and states governments that are tasked with piecing together a solution comprised of divergent methodologies.104 Often, there is a breakdown between what data states collect, what data cities collect, and what data counties collect. For example, Connecticut lists data by town.105 Florida provides its residents with extensive data on the cities affected, the number of people tested, the age brackets of patients, whether they are Florida residents, and the number of cases in nursing homes.106 107 Health departments in the Bay Area have made a case against detailed disclosure of information due to concerns that releasing more granular data will lead to heightened discrimination against certain Asian communities in which clusters of COVID-19 may occur.108 And while all of this information can be aggregated in dashboards created by others, like the John Hopkins University dashboard for United States cases by county, it remains to be seen whether a more centralized system could have reduced the spread more effectively and what long term impacts this might have on the economy, the trust of the citizens, and the downstream health consequences.109

European Union

By comparison, the European Commission (EC), in the face of an avalanche of confirmed COVID-19 cases, has kick-started a discussion with mobile phone operators about the provision of aggregated and anonymized mobile phone location data.110 The plan is to analyze mobility patterns including the effects of confinement (and de-confinement) and social distancing measures, and thereby assess the risk of contagion. This would be an important and arguably more proportionate input for tools that are modeling the spread of the virus and would allow the EC to assess the efficacy of the measures that have been taken to contain the pandemic.111 112

In the same regard, EU telecommunication companies have been sharing aggregate data with various agencies to develop new application. For example, Orange in France is sharing aggregated and anonymized mobile phone geolocation data with Inserm, a local health-focused research institute, to enable them to anticipate and manage the spread of the pandemic more effectively.113 The research focused on examining the spontaneous changes in mobility occurring before and during the lockdown, and their impact on the evolution of the pandemic. The data will be integrated into models of pandemic spread developed by the research team, which would improve predictions of the spread of the virus and identify regions at risk of becoming clusters and of having their healthcare systems overwhelmed.114

Part II: Limiting the Unintended Consequences of Surveillance

There is no doubt that the development of digital technology holds the promise of great benefits to humankind. The migration from analogue to the digital world is continuing at a rapid pace. Humans are awash in data. However, data is often misinterpreted or overused without adequate safeguards.

Amidst imposed lockdowns and restrictions on freedom of movement, law enforcement agencies are finding themselves playing a critical role in halting the spread of the virus while also preserving public safety and social order. As a result, human rights, civil liberties, and fundamental principles of law may be compromised if the government does not navigate these challenges carefully. The remainder of this section fleshes out some general strategies that should be considered, based on the preceding analysis, when implementing law and computational solutions together.

Legislative Oversight

One option to reduce the potential for abuse is to build cohesion at the legislative level. The European Data Protection Board (EDPB) of the EU issued a statement on March 16, 2020 giving a clear framework for the processing of personal data under the General Data Protection Regulation (GDPR) during the pandemic.115 The GDPR provides rules to govern the application of processing personal data in the current context of COVID-19, laying out the legal grounds for employers and competent public health authorities to process personal data in the context of pandemics without the need to obtain the consent of data subjects.

For the processing of electronic communication data such as mobile location data, additional rules apply. The ePrivacy Directive stipulates that location data can only be used by the operator when they are made anonymous or with the consent of the individuals. Public authorities of member states should aim to process location data in an anonymous way by aggregating data in such a way that it cannot be reversed to personal data.116 A member state is obligated to put into place adequate safeguards, such as the right to judicial remedy.117 It is important to note that, according to the EC, the data collected will only be kept as long as the crisis is ongoing, and the collection will be fully in compliance with the ePrivacy Directive and the GDPR.118

On March 21, Frankfurter Allgemeine Zeitung, a German newspaper, reported that the German health ministry had drafted changes to a law called the Infection Protection Act that allow, among other things, the tracking of people who were in contact with those infected with the coronavirus.119 This act carefully sets a legal boundary for regulating the use of personal privacy data and avoiding the legal risks of unauthorized use.

In South Korea, the prevailing public health law provides the government with an adapted legal apparatus to activate collective effort to combat the disease. The law itself is the upshot of the painful lesson learned in the 2015 Middle East respiratory syndrome outbreak, which saw the South Korean authorities struggling to reduce the gravity of the infection after a delayed initial response. The epidemic built social consensus on the importance of data collection and use in epidemic response and prompted amendment of the IDCPA.120 121 Under the revised Act, health officials can have access to the patients’ personal information in exceptional cases like containment of infectious disease. Article 76-2(1) of the IDCPA enables the KCDC to require medical institutions, pharmacies, corporations, organizations, and individuals to provide information concerning patients and persons feared to be infected. 122 This is augmented by Articles 76-2(2) which equips the Minister of Health and Welfare with extensive power to collect private data from confirmed and potential patients in absence of a warrant from private telecommunications companies and the police agency. Such comprehensive legislative provisions empower authorities to extract surveillance footage, credit card histories and geolocation data of both confirmed and potential patients. This explains, in part, how the South Korean government has been able to rapidly contact-trace its citizens to limit the spread of the virus outbreak.123

In Singapore, the Personal Data Protection Commission issued guidelines clarifying that the coronavirus falls under the emergency exception under the Personal Data Protection Act (PDPA), such that personal data may be collected, used or disclosed without consent for purposes of safeguarding the health of the occupants and contact tracing and other response measures. The collected personal data must continue to comply with all other data protection obligations under the PDPA such as, amongst others, the obligation to protect personal data by making reasonable security arrangements to prevent unauthorized access, collection, use and disclosure, and the obligation to cease retaining such personal data as soon as it is reasonable to assume that the original purpose is no longer being served and retention is necessary for legal or business purposes. 124 125

The Hong Kong Privacy Commissioner clarified that “there are sufficient legal and justifiable bases” on which the government may collect and use information obtainable offline or online with the aid of devices, applications, software or supercomputers with a view to tracking potential COVID-19 carriers or patients in the interests of both the individuals concerned and the public.126

In the absence of a more robust ePrivacy Regulation, the EU will continue to fall back on the old regime of the ePrivacy Directive, leading to potential mismatch and confusion among member states on the continued applicability and practical relevance of the ePrivacy Directive.127

Similarly, in the United States, there is a call to revisit HIPAA regulations in order to enlarge the scope of legislative permission and counteract the destruction of the virus during the current global emergency. HIPAA was designed for the protection of personal data at doctors’ offices and in hospitals and includes provisions for the release of otherwise protected information during emergencies. Many experts, including Glenn Cohen, a bioethics expert at Harvard Law School, have argued that the guiding principle during this crisis should be “sharing more rather than less.”128 Regardless of the merits of these claims, the coronavirus pandemic will likely to spur a careful reassessment of medical privacy laws in the United States for years to come.

Data Anonymization and Protection

Another way that communities around the world can improve privacy outcomes while leveraging the utility of the information itself is through data anonymization and protection. Personal information, especially information that has not been anonymized, must be properly secured and encrypted and access to it must be carefully managed. In the realm of the EU, the GDPR specifically requires measures to implement appropriate data protection principles and safeguard individual rights during the processing activities and business practices from the design stage and throughout the lifecycle.129 130 GDPR further requires systems that are designed to process personal data to ensure data minimization by default, while incorporating all other GDPR obligations into the design of the system.131 132 This option provides governments with the ability to track the movement of their citizens while minimizing the ability of the apps to infringe upon data privacy rights. In the United States, a team led by MIT computer scientist Ramesh Raskar, has released a prototype application, “Private Kit: Safe Paths.”133 Users can provide information about themselves on the app and declare if they are infected or not.134 Their location and movements are logged, stored on the phone in encrypted form and shared with third parties only with prior consent.135 Users can choose to receive notifications if they have been near a confirmed patient, but the app will not divulge the name or identity of individuals, unlike more authoritarian, government-led solutions.136

In South Korea, to protect the information gathered, access to the platform and the level of access will be differentiated according to the duties of the authorities in charge. Under the current arrangement, KCDC officials and local government officials in charge of contact tracing need to have the necessary security clearance to access the collected data. Further, the new data platform designed for virus outbreak runs on a private network to shield the system from hacking and adopts security technologies like double firewalls as well as the thorough log-in management system to avoid abuse of personal information. While in operation, the platform will be constantly monitored by computer security experts and the technology will be constantly updated based on the changing pandemic outlook.137

On the other hand, in most European countries, the use of individual smartphone location data to track the spread of the pandemic would violate national and EU privacy laws. In Berlin, the Fraunhofer Heinrich Hertz Institute is developing an application that anonymously stores information on the proximity and duration of interpersonal connections on a mobile phone for up to two weeks. The application does not use any location data or personal data and the data collected can help the public health department to reconstruct the infection pattern digitally without exposing personally identifiable information.138 139

While these restrictions are acceptable in principle, current technologies might not be able to offer impermeable protection of individual identities. In its letter to the EC, the EDPS emphasized the importance of effective data anonymization using techniques that genuinely block the re-identification of data.140 141 142 Researchers have often demonstrated that anonymized data can easily be reidentified; for example, location data typically includes many easily identified individual tells, such as home address.143 A research study conducted by Imperial College London and Belgium’s Université Catholique de Louvain found that 99.98% of Americans could be correctly re-identified in any dataset using 15 demographic attributes.144 Their results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and provide a serious challenge to the technical and legal adequacy of the de-identification “release-and-forget” model.145 According to the EDPS, effective anonymization requires more than removing obvious identifiers such as phone numbers and International Mobile Equipment Identity numbers; aggregated data can provide an additional safeguard.146 147

Purpose and Time Limitations

A third strategy that can be used to ensure these apps do not outlive their original motivation is to set purpose and time limitations. Personal data that is collected and processed to track the spread of the coronavirus should not be used for any other purpose. According to the GDPR, national authorities should seek to ensure that personal and medical data are exclusively used for public health reasons.148 In South Korea, the scope of data collected is claimed to be kept to a minimum and a due procedure is imposed on the officials in acquiring the data.149 For example, an epidemiological surveyor should decide whether additional collection of personal information is needed. If the answer is in affirmative, the official should seek approval from relevant authorities to get access to the data. As for the location information, separate permission from the National Police Agency is required.150

Nevertheless, when the pandemic subsides, national authorities will need to scale back their expedient monitoring capabilities. As Yuval Noah Harari, an Israeli historian and a professor in the Department of History at the Hebrew University of Jerusalem, observed in a recent article, “temporary measures have a nasty habit of outlasting emergencies, especially as there is always a new emergency lurking on the horizon.”151 Government authorities must reassure their citizens that these exceptional capabilities will not become the new norm.152 This deep concern for privacy was echoed by the Office of the United Nations High Commissioner for Human Rights. In a public statement on March 19, 2020, the monitors of freedom of expression and freedom of the media for the United Nations, the Inter-American Commission for Human Rights and the Representative on Freedom of the Media of the Organization for Security and Co-operation in Europe issued a joint statement about protecting the free flow of information during the pandemic, while stressing that “while we understand and support the need for active efforts to confront the pandemic, it is also crucial that such tools be limited in use, both in terms of purpose and time, and that individual rights to privacy, non-discrimination, the protection of journalistic sources and other freedoms be rigorously protected.”153

Conclusion

In times of conflict and crisis, the argument for executive expediency is frequently voiced as an efficient way to solve the problem. Each case demands a high degree of critical examinations of the broader context and of the applications themselves. Arthur L. Caplan, a bioethics expert at the N.Y.U. School of Medicine, has argued that using law to justify the limited release of aggregate data is counterproductive to the preservation of public safety.154 Only with transparent and comprehensive aggregation of available data can law enforcement agencies, health authorities, and security professionals tasked with protecting the public from harm maximize the efficacy of their unusual measures. Further, it is expected that the private sector, at least in some Asian countries, will continue to surrender to the government necessary information about their users, whether driven by their own social responsibility or as a result of unorthodox governmental sequestration.

There is a role for privacy and a role for technology. Governments, citizens, and industry must work together to achieve the most appropriate balance between these two based on their unique circumstances. However, any juxtaposition between disparate measures undertaken by democratic and authoritarian government in time of a global emergency often overlooks the nuanced menu of legislative and executive prerogatives available to each individual regime. It is therefore important to remember that mandatory data collection and dissemination without explicit authorization and absent clear restrictions on data collection method, time, use and purpose may lead to abuses of digital capabilities and infringements on human rights. Should we anticipate a new wave of judicial reviews on the purportedly excessive use of executive power? Will the zealous mining of personal data ultimately be repulsed by public concerns beyond the COVID-19 crisis? Then, there is an issue on contract. If there are contracts in place between the government and third-party companies that are supplying information about their users to the government, its citizens should be given the right to question the validity of these contracts and their right thereunder. Are citizens of these countries intended to be or legally treated as third-party beneficiaries to these contracts? If so, should individuals have a right to hold the contracting parties accountable for any disproportionate measure undertaken during this time and enforce these breaches as a possible contractual recourse?155 What other measures can be taken to prevent third-party companies from mining such data for their operational gains?

The choices to be made by governments are those of degree, not of kind. At the very least, the contention of this article is that the government should not put the burden on those under surveillance to actively seek out the data-mining entities and request that their data be deleted. Instead, they should design and monitor a system that justifies the need for data collection and implements the checks and balances required to make it proportional, fair, just and humane. As Glenn Cohen said, “Public health depends a lot on public trust. If the public feels as though they are being misled or misinformed, their willingness to make sacrifice [is reduced].”156 Viewed this way, the executive branch of the government must find a delicate balance between the use of technology and data in service of the public good and protecting privacy and avoiding an over-reach on its future uses.

Adam is a senior lawyer with over 12 years of working in the legal and PE industry. Adam specializes in corporate law, M&A and other regulatory and corporate governance matters. Currently, Adam is obtaining an MBA from MIT Sloan focusing on tech entrepreneurship and venture capital.